Friday, May 11, 2007

In the default configuration of Apache, any error pages will contain the full signature of the server (version number) which could be exploited by hackers. Each version has some deficiencies that could be exploited, and a hacker who knows your version number may benefit from it by focused attacks.

To disable server signature, you will need to edit your /etc/apache2/apache2.conf file.

sudo nano /etc/apache2/apache2.conf

Press Ctrl+w to search for "ServerSignature" and press return. If you find it, edit it to:

ServerSignature OffServerTokens Prod

If you don't find it, just scroll to the end of the file and add these two lines.

Then, we need to reload apache configuration to put this new change in effect:

sudo /etc/init.d/apache2 reload

Check the new configuration by entering an invalid address on your server URL (e.g. www.server.com/invalidpage.html). You should not see the server signature now, just the server name.